Re: Getting LDAP and SASL (digest-md5) to play nice
Rick Stevens wrote:
> So, SASL is happy with an entry in the sasldb, but obviously that DN
> isn't in the LDAP database. So, I added an authz-regexp:
>
> authz-regexp
> uid=([^,]*),cn=[^,]*,cn=auth
> uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com
>
> Now, ldapwhoami gives me:
>
> [root@prophead ~]# ldapwhoami -w unix__gort
> SASL/DIGEST-MD5 authentication started
> SASL username: root
> SASL SSF: 128
> SASL installing layers
> dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com
> Result: Success (0)
>
> Isn't that grand! That's what I want (I think),
Is that really what you think? Look closely.
> dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com
> but it requires
> me to put an entry in the sasldb and I don't think that's necessary
> from what I gather from the docs. However, without it, I can't
> authenticate at all, and therefore can't even get to LDAP.
>
> That being said, even that doesn't appear to be enough as I have an
> access rule:
>
> access to attrs=userPassword
> by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write
And again, look closely.
> by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write
> by dn="cn=manager,dc=gbsbilling,dc=com" write
> by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
> by anonymous auth
> by self write
> by * none
Pay attention to what you're doing.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
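An added illustration, not part of the thread and not OpenLDAP code, of the mismatch Howard is pointing at. It takes the authz-regexp and the `by dn=` clause from the mail, applies the `$1` substitution to a constructed SASL authentication DN (`uid=root,cn=digest-md5,cn=auth`), and compares the resulting DN with the ACL's DN component by component. The helpers (`map_sasl_dn`, `diagnose`, the simplified DN normalisation that ignores escaping and multi-valued RDNs) are hypothetical and only mirror the `$N` substitution idea, not slapd's exact matching rules; `FIXED_TEMPLATE` is an assumed correction that drops the duplicated `ou` so the mapped DN equals the ACL DN.

```python
import re
from collections import Counter

# Values taken from the thread.
AUTHZ_PATTERN = r"uid=([^,]*),cn=[^,]*,cn=auth"
AUTHZ_TEMPLATE = "uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com"
ACL_DN = "uid=root,ou=people,dc=gbsbilling,dc=com"

# Constructed: the SASL authentication identity for a DIGEST-MD5 bind as "root".
SASL_AUTH_DN = "uid=root,cn=digest-md5,cn=auth"

# Assumption: the entry really lives under a single ou=people, so the
# template should not repeat the ou component.
FIXED_TEMPLATE = "uid=$1,ou=people,dc=gbsbilling,dc=com"


def map_sasl_dn(sasl_dn, pattern=AUTHZ_PATTERN, template=AUTHZ_TEMPLATE):
    """Apply an authz-regexp style rewrite (hypothetical helper): match the
    pattern against the SASL DN and replace $1..$9 in the template with the
    captured groups. Returns None when the pattern does not match."""
    m = re.match(pattern, sasl_dn, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def dn_components(dn):
    """Split a DN into lower-cased, whitespace-trimmed RDN strings.
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def acl_dn_matches(bound_dn, acl_dn):
    """A 'by dn="..."' clause applies only to exactly that DN, so the
    normalised component lists must be identical (order included)."""
    return dn_components(bound_dn) == dn_components(acl_dn)


def diagnose(sasl_dn, template=AUTHZ_TEMPLATE, acl_dn=ACL_DN):
    """Report whether the ACL clause would fire for the mapped DN and which
    RDNs the mapped DN carries that the ACL DN does not (multiset difference,
    so a duplicated ou=people shows up even though one copy is present)."""
    mapped = map_sasl_dn(sasl_dn, template=template)
    if mapped is None:
        return {"mapped": None, "acl_applies": False, "extra_rdns": []}
    surplus = Counter(dn_components(mapped)) - Counter(dn_components(acl_dn))
    return {
        "mapped": mapped,
        "acl_applies": acl_dn_matches(mapped, acl_dn),
        "extra_rdns": sorted(surplus.elements()),
    }


if __name__ == "__main__":
    for label, tmpl in (("as posted", AUTHZ_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        result = diagnose(SASL_AUTH_DN, template=tmpl)
        print(f"{label:9s} -> {result['mapped']}")
        print(f"          ACL clause applies: {result['acl_applies']}"
              f"  extra RDNs: {result['extra_rdns']}")
```

Run as a script it shows the posted template producing `uid=root,ou=people,ou=People,dc=gbsbilling,dc=com`, which the `by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write` clause never matches, so the bind falls through to `by * none`; with the duplicated `ou` removed the two DNs agree and the write clause applies. The same check works the other way round if the tree really does have two `ou` levels: then it is the ACL DN that needs the extra component.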